Subject: Buggy ARP handling in Windoze
From: Paul Starzetz (paul STARZETZ.DE)
Date: Thu Jun 29 2000 - 11:50:44 CDT

I discovered a strange bug in the ARP handling under Windows 98/latest
Winsock patch (IGMP). Win98 (at almost Win95 as far as tested) would not
handle static ARP entries correctly. Setting up a static ARP cache
entry like:

c:\windows\arp.exe -s host_ip host_mac

does not immunise against spoofed ARP packets. If someone on the subnet is
playing with ARP and, regardless of the opcode, an ARP packet with
arp_protocol_address == host_ip arrives, Windose will update the
'static' entry to whatever MAC the ARP packet points to. So a
'static' entry means the entry wouldn't be deleted and remains
forever in the cache. This is not really the behaviour we want :-)

Note that Lunix will behave correctly (tested against 2.2.16 kernels),
so setting a static ARP for a host protects your box from ARP spoofing.

Of course, you may set up a static ARP table and then run a firewall on
each machine to filter further ARP....
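
A monitoring check for the condition reported above, added here as an example and not part of the original post: it parses Ethernet/IPv4 ARP frames and flags any packet, whatever its opcode, whose sender address matches a pinned entry but carries a different MAC. It assumes the post's `arp_protocol_address` is the ARP sender protocol address; the table, function names and sample frames are constructed for illustration.

```python
import socket
import struct

# Pinned IP -> MAC bindings, mirroring the 'arp -s' table (constructed values).
STATIC_ARP = {"192.0.2.10": "00:11:22:33:44:55"}

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for Ethernet/IPv4 ARP, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, fmt_mac(frame[22:28]), socket.inet_ntoa(frame[28:32])

def check_frame(frame: bytes, static=STATIC_ARP):
    """Return an alert string if the frame contradicts a pinned binding."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    oper, sender_mac, sender_ip = parsed
    pinned = static.get(sender_ip)
    # The opcode is deliberately not filtered on: the post reports that the
    # overwrite happens regardless of it, so requests count as well as replies.
    if pinned is not None and sender_mac != pinned.lower():
        return f"op={oper}: {sender_ip} claimed by {sender_mac}, pinned to {pinned}"
    return None

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed broadcast test frame (not captured traffic)."""
    def mac(m): return bytes.fromhex(m.replace(":", ""))
    return (b"\xff" * 6 + mac(sender_mac) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sender_mac) + socket.inet_aton(sender_ip)
            + mac(target_mac) + socket.inet_aton(target_ip))

# Constructed samples: one genuine reply, then a request and a reply that both
# claim the pinned address from a different MAC.
SAMPLES = [
    build_arp(2, "00:11:22:33:44:55", "192.0.2.10", "00:aa:bb:cc:dd:ee", "192.0.2.20"),
    build_arp(1, "02:de:ad:be:ef:01", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.20"),
    build_arp(2, "02:de:ad:be:ef:01", "192.0.2.10", "00:aa:bb:cc:dd:ee", "192.0.2.20"),
]

if __name__ == "__main__":
    for frame in SAMPLES:
        print(check_frame(frame) or "ok")
```

On a host that honours static entries such an alert is informational; on one that behaves as the post describes, it marks the moment the pinned entry would have been overwritten.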